How Open Source Software Puts Your Company at Risk
Open source software is software that gives the user the option to change, modify, improve, or even downgrade the program. Its defining characteristic is that it is usually enhanced and developed in a very public manner, and because of that nature it is usually distributed free of charge. Open source software has helped individuals and businesses avoid paying for otherwise expensive but necessary software.
There is a great deal of open source software on the market. The endless choice gives small businesses and corporations an expense holiday in the field of IT. It has been loosely reported that open source software saves consumers US$60 billion a year.
Open source software is indeed a fast way to cut expenses, but are companies placing too much trust in these programs? According to a recent study, choosing open source software may put companies in danger. The study argues that users and consumers of open source software disregard the outlined practices that would help them manage the high security risk these programs come with.
Fortify Software, together with Larry Suto, initiated the research into the risks of open source software. To test the niche, they took a set of open source software packages and evaluated them against consumers' experiences of security difficulties. The research stretched over 3 months and succeeded in drawing a conclusion. The group's aim was to survey, for each of the packages in its sample, the users and their receptiveness to each package's security weak points, issues, and guides.
The open source software in the study was compared by how its users view the strengths and weaknesses of its security management. For example, one package, Tomcat, excelled in the area in which its security practices were evaluated as the best received by its users. While this is a notable achievement for Tomcat, the other open source programs showed disappointing performance in that area. Second place goes to JBoss, an application server, which did a good job of maintaining the security information link on its website. JBoss offers companies and security experts a strong line of access, but still needs improvement in providing a precise e-mail path for collecting security issues from its users.
Consumers generally dislike reporting security issues to public mailing lists for fear of not having enough privacy. This is backed up by Fortify's manager, Jacob West. He also expressed the need to take the user's privacy into account when issues about the programs are reported, so that developers can publish the improvements and fixes publicly without the risk of other individuals abusing information posted by the reporter.
The market shows that freely available open source programs are weaker in dedicating security resources to their users than their commercial counterparts. Programs sold for money have the time and funding to focus on security support, while freely distributed ones lack both.
Users, whether individuals or corporations, have trouble getting direct help with these open source programs. Their websites may offer little information about the developers and, in some cases, general e-mail links that lead nowhere. There is no assurance that consumers will get specific solutions for the program issues they encounter.
Often, open source projects can be caught singing their own praises, particularly commercial accreditations and recommendations, when in fact they lack the initiative to move toward better and safer industry practices. Some open source developers are strengthening their consumer-centric approach, but most industry participants show little interest in this.
Although it may seem that the research is attacking the open source industry, this is not the case at all. The research puts forward an unbiased and detailed account of how today's open source software must improve its security approach, because the industry is growing rapidly.
Fortify board member and former White House cyber-security leader Howard Schmidt emphasizes the need for the open source community to be receptive to the issues and feedback on their programs. Businesses and individuals face the same security issues when using these programs; details such as contact e-mails should be common knowledge and offered first-hand.
Open source programs may aid cost-saving enormously, but their faulty security approaches may endanger their users. There must be a continuous and solid stream of development, a collaborative effort between the users and the developers themselves.
Businesses and government agencies that depend on such programs can help the software improve by sharing with the public the data they have collected from their own experiences.
As the study indicates, developers tend to ignore the issues and problems their software encounters. In a situation like this, everyone is on their own. Users may have the option to help develop the programs themselves, but there is no pressing obligation on a user to help the community.